
Service Registration#

To register a service in B2ACCESS, you need to provide some general information and some protocol-specific information. Both are mandatory to register a new service at B2ACCESS.


Note that you can also test the registration of your service(s) on a testing/development instance. In that case, replace all of the following URLs by

You MUST provide the following information to register a new service:

  • Service name
  • Service description
  • URL to data privacy statement
  • Service administrative contact (list preferred)
  • Service security contact (list preferred)
  • Site security contact (your local CERT)
  • Further protocol specific information (see subsection)
  • Postal address of the organisation providing the service

OAuth2/OIDC service#

Additional protocol-specific information needed to register the service:

  • OAuth return URL
  • Client Logo (png format)

You can register a new service using OAuth2/OIDC by yourself. Browse to the B2ACCESS OAuth home endpoint and click on “No account? Sign up.” in the upper right corner. Make sure that you are not logged in, otherwise the link is not displayed. In the next menu select “Oauth2/OIDC client Registration”, which is the first item. Fill in all necessary information. The username is the client ID and the password is the client secret. By submitting the request the AAI administrators are informed about your request and will review it. The client cannot be used until it has been accepted by the AAI administrators.

The mandatory URLs of B2ACCESS are:

  • OAuth home endpoint:
  • Issuer:
  • Authorization endpoint:
  • Token endpoint:
  • Introspection endpoint:
  • Revocation endpoint:
  • Discovery URL:

Token revocation#

The path /revoke can be used to revoke an access token that was previously issued. This endpoint is implemented according to RFC 7009, with the following Unity specifics:

  • The token_type_hint parameter is mandatory and must always be provided (in the RFC it is optional). The allowed values are access_token and refresh_token.
  • Access to the endpoint is authorized implicitly by providing a valid token to be revoked. The client_id must always be given.

Typical usage (the placeholders in angle brackets stand for your own values; the request body follows the RFC 7009 form encoding, with client_id added as Unity requires):

POST /.../revoke HTTP/1.1
Host: ...
Content-Type: application/x-www-form-urlencoded

token=<token to revoke>&token_type_hint=access_token&client_id=<your client id>

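As an added illustration (not code from B2ACCESS or Unity), the following small client enforces the two Unity specifics above before anything leaves the machine, and interprets the response as RFC 7009 section 2.2 defines it. The endpoint URL passed in is assumed to be the B2ACCESS revocation endpoint from the list above; the `opener` parameter exists only so the flow can be exercised offline.

```python
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Unity-specific rule from the text: the hint is mandatory and limited to these two values.
ALLOWED_HINTS = ("access_token", "refresh_token")


def build_revocation_request(endpoint, token, token_type_hint, client_id):
    """Build the POST for the /revoke endpoint, failing locally before anything is sent
    if one of the fields B2ACCESS/Unity requires (token, hint, client_id) is missing."""
    if not token:
        raise ValueError("token to revoke is required")
    if token_type_hint not in ALLOWED_HINTS:
        raise ValueError("token_type_hint must be one of %s" % (ALLOWED_HINTS,))
    if not client_id:
        raise ValueError("client_id is mandatory on the Unity revocation endpoint")
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint, "client_id": client_id}
    ).encode("ascii")
    return urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def interpret_response(status, body):
    """RFC 7009 section 2.2: 200 means the token is revoked (also returned when it
    was already invalid); 400 carries {"error": ...}, e.g. unsupported_token_type;
    anything else (e.g. 503) is reported as not revoked with no parsed error."""
    if status == 200:
        return {"revoked": True, "status": status, "error": None}
    try:
        error = json.loads(body.decode("utf-8") or "{}").get("error")
    except ValueError:
        error = None
    return {"revoked": False, "status": status, "error": error}


def revoke_token(endpoint, token, token_type_hint, client_id, opener=urllib.request.urlopen):
    """Send the revocation; `opener` is injectable so the flow can be exercised offline."""
    req = build_revocation_request(endpoint, token, token_type_hint, client_id)
    try:
        with opener(req) as resp:
            return interpret_response(resp.status, resp.read())
    except HTTPError as exc:
        return interpret_response(exc.code, exc.read())
```

A 200 response does not distinguish "revoked now" from "was already invalid", so a client that needs an audit trail should log the call itself rather than infer state from the status code.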
SAML service#

Additional protocol-specific information needed to register the service:

  • Entity ID
  • Return URL
  • Client Logo (Link to a png file)

Self-registration of SAML services is not possible. You need to contact us and provide all of the information above. The AAI administrators will prepare the integration and come back to you to finish it.

The mandatory information about the B2ACCESS IdP is:

  • Entity ID:
  • Metadata URL:
  • Authentication Request Message:
  • SLO:

Further information about Policies and security#

For policy reasons you MUST provide:

  • Service Security Contact: this contact MUST be able to provide information about user logins to the security teams in case of a security incident. This contact is invited to register at the Infrastructure Security Point described in the Security Incident Response.
  • Privacy Policy: this is a legal requirement. Luckily we have a GDPR-compliant privacy policy (PP) template into which you only have to insert the specifics of your service.

WIP—Needs to be updated#

Additionally, you need to accept and abide by the following policies:


Last update: 09.02.2024